Note Client and tag licenses are required to get contextual (such as location) information within the context-aware software. For more information, see the Release Notes for Cisco 3350 Mobility Services Engine for Software Release 7.4.100.0.

The AP801 and AP802 are integrated access points on the Cisco 800 Series Integrated Services Routers (ISRs). For more information about the stock-keeping units (SKUs) for the access points and the ISRs, see the following data sheets:

Note The AP802 is an integrated access point on the Next Generation Cisco 880 Series ISRs.

Note Before you use an AP802 series lightweight access point with controller software release 7.4.110.0, you must upgrade the software in the Next Generation Cisco 880 Series ISRs to Cisco IOS 151-4.M or later releases.

What’s New in This Release?

There are no new features or enhancements in this release. For more information about the updates in this release, see the Caveats section.

Software Release Support for Access Points

Table 1 lists the controller software releases that support specific Cisco access points. The First Support column lists the earliest controller software release that supports the access point. For access points that are not supported in ongoing releases, the Last Support column lists the last release that supports the access point.

Table 1 Software Support for Access Points

| Access Points | First Support | Last Support |
|---|---|---|
| 1000 Series | | |
| AIR-AP1010 | 3.0.100.0 | 4.2.209.0 |
| AIR-AP1020 | 3.0.100.0 | 4.2.209.0 |
| AIR-AP1030 | 3.0.100.0 | 4.2.209.0 |
| Airespace AS1200 | — | 4.0 |
| AIR-LAP1041N | 7.0.98.0 | — |
| AIR-LAP1042N | 7.0.98.0 | — |
| 1100 Series | | |
| AIR-LAP1121 | 4.0.155.0 | 7.0.x |
| 1130 Series | | |
| AIR-LAP1131 | 3.1.59.24 | — |
| 1140 Series | | |
| AIR-LAP1141N | 5.2.157.0 | — |
| AIR-LAP1142N | 5.2.157.0 | — |
| 1220 Series | | |
| AIR-AP1220A | 3.1.59.24 | 7.0.x |
| AIR-AP1220B | 3.1.59.24 | 7.0.x |
| 1230 Series | | |
| AIR-AP1230A | 3.1.59.24 | 7.0.x |
| AIR-AP1230B | 3.1.59.24 | 7.0.x |
| AIR-LAP1231G | 3.1.59.24 | 7.0.x |
| AIR-LAP1232AG | 3.1.59.24 | 7.0.x |
| 1240 Series | | |
| AIR-LAP1242G | 3.1.59.24 | — |
| AIR-LAP1242AG | 3.1.59.24 | — |
| 1250 Series | | |
| AIR-LAP1250 | 4.2.61.0 | — |
| AIR-LAP1252G | 4.2.61.0 | — |
| AIR-LAP1252AG | 4.2.61.0 | — |
| 1260 Series | | |
| AIR-LAP1261N | 7.0.116.0 | — |
| AIR-LAP1262N | 7.0.98.0 | — |
| 1300 Series | | |
| AIR-BR1310G | 4.0.155.0 | 7.0.x |
| 1400 Series | | |
| Standalone Only | — | — |
| 1600 Series | | |
| AIR-CAP1602I-x-K9 | 7.4.110.0 | — |
| AIR-CAP1602I-xK910 | 7.4.110.0 | — |
| AIR-SAP1602I-x-K9 | 7.4.110.0 | — |
| AIR-SAP1602I-xK9-5 | 7.4.110.0 | — |
| AIR-CAP1602E-x-K9 | 7.4.110.0 | — |
| AIR-SAP1602E-xK9-5 | 7.4.110.0 | — |
| AP801 | 5.1.151.0 | |
| AP802 | 7.0.98.0 | |
| AP802H | 7.3.101.0 | |
| 2600 Series | | |
| AIR-CAP2602I-x-K9 | 7.2.110.0 | |
| AIR-CAP2602I-xK910 | 7.2.110.0 | |
| AIR-SAP2602I-x-K9 | 7.2.110.0 | |
| AIR-SAP2602I-x-K95 | 7.2.110.0 | |
| AIR-CAP2602E-x-K9 | 7.2.110.0 | |
| AIR-CAP2602E-xK910 | 7.2.110.0 | |
| AIR-SAP2602E-x-K9 | 7.2.110.0 | |
| AIR-SAP2602E-x-K95 | 7.2.110.0 | |
| 3500 Series | | |
| AIR-CAP3501E | 7.0.98.0 | — |
| AIR-CAP3501I | 7.0.98.0 | — |
| AIR-CAP3502E | 7.0.98.0 | — |
| AIR-CAP3502I | 7.0.98.0 | — |
| AIR-CAP3502P | 7.0.116.0 | — |
| 3600 Series | | |
| AIR-CAP3602I-x-K9 | 7.1.91.0 | — |
| AIR-CAP3602I-xK910 | 7.1.91.0 | — |
| AIR-CAP3602E-x-K9 | 7.1.91.0 | — |
| AIR-CAP3602E-xK910 | 7.1.91.0 | — |
| 600 Series | | |
| AIR-OEAP602I | 7.0.116.0 | |

Note The Cisco 3600 Access Point was introduced in 7.1.91.0. If your network deployment uses Cisco 3600 Access Points with release 7.1.91.0, we highly recommend that you upgrade to 7.2.103.0 or a later release.

1. These access points are supported in the separate 4.1.19x.x mesh software release or with release 5.2 or later releases. These access points are not supported in the 4.2, 5.0, or 5.1 releases.

The access point must always be connected to the POE-IN port to associate with the controllers. The POE-OUT port is for connecting external devices only.

Upgrading to Controller Software Release 7.4.110.0

Guidelines and Limitations

When H-REAP access points that are associated with a controller running any 7.0.x software release prior to 7.0.240.0 are upgraded to the 7.4.110.0 release, the access points lose their VLAN support configuration if it was enabled. The VLAN mappings revert to the default values of the VLAN of the associated interface. This issue does not occur if you upgrade from 7.0.240.0 or a later 7.0.x release to the 7.4.110.0 release.

When a client sends an HTTP request, the controller intercepts it for redirection to the login page. If the intercepted HTTP request is fragmented, the controller drops the packet because the fragment does not contain enough information for redirection.

We recommend that you install Wireless LAN Controller Field Upgrade Software for Release 1.7.0.0-FUS, which is a special AES package that contains several system-related component upgrades. These include the bootloader, field recovery image, and FPGA/MCU firmware. Installing the FUS image requires special attention because it installs some critical firmware. The FUS image is independent of the runtime image. For more information, see http://www.cisco.com/en/US/docs/wireless/controller/release/notes/fus_rn_1_7_0_0.html.

If you are using a Cisco 2500 Series controller and you intend to use the Application Visibility and Control (AVC) and NetFlow protocol features, you must install Wireless LAN Controller Field Upgrade Software for Release 1.8.0.0-FUS. This is not required if you are using other controller hardware models. For more information, see http://www.cisco.com/en/US/docs/wireless/controller/release/notes/fus_1_8_0_0.html.

When you enable LAG on a Cisco 2500 Series Controller with which a direct-connect access point is associated, the direct-connect access point disassociates from the controller. Direct-connect access points are not supported while LAG is enabled. For direct-connect access points to be supported, you must disable LAG and reboot the controller.

If LAG is enabled on the Cisco 2500 Series Controller and the controller is downgraded to a non-LAG aware release, the port information is lost and it requires manual recovery.

After you upgrade to the 7.4 release, networks that were not affected by the existing preauthentication ACLs might not work because the rules are now enforced. That is, networks with clients configured with static DNS servers might not work unless the static server is defined in the preauthentication ACL.

On 7500 controllers, if FIPS is enabled, the reduced boot options are displayed only after a bootloader upgrade.

Note Bootloader upgrade is not required if FIPS is disabled.

If you require a downgrade from one release to another, you might lose the configuration from your current release. The workaround is to reload the previous controller configuration files saved on the backup server or to reconfigure the controller.

It is not possible to directly upgrade to the 7.4.110.0 release from a release that is older than 7.0.98.0.

You can upgrade or downgrade the controller software only between certain releases. In some instances, you must first install an intermediate release prior to upgrading to software release 7.4.110.0. Table 2 shows the upgrade path that you must follow before downloading software release 7.4.110.0.

Table 2 Upgrade Path to Controller Software Release 7.4.110.0

| Current Software Release | Upgrade Path to 7.4.110.0 Software |
|---|---|
| 7.0.98.0 or later 7.0 releases | You can upgrade directly to 7.4.110.0. Note If you have VLAN support and VLAN mappings defined on H-REAP access points and are currently using a 7.0.x controller software release that is prior to 7.0.240.0, we recommend that you upgrade to the 7.0.240.0 release and then upgrade to 7.4.110.0 to avoid losing those VLAN settings. |
| 7.1.91.0 | You can upgrade directly to 7.4.110.0 |
| 7.2. or later 7.2 releases | You can upgrade directly to 7.4.110.0. Note If you have an 802.11u HotSpot configuration on the WLANs, we recommend that you first upgrade to the 7.3.101.0 controller software release and then upgrade to the 7.4.110.0 controller software release. You must downgrade from the 7.4.110.0 controller software release to a 7.2.x controller software release if you have an 802.11u HotSpot configuration on the WLANs that is not supported. |
| 7.3 or later 7.3 releases | You can upgrade directly to 7.4.110.0 |

When you upgrade the controller to an intermediate software release, you must wait until all of the access points that are associated with the controller are upgraded to the intermediate release before you install the latest controller software. In large networks, it can take some time to download the software on each access point.

If you upgrade to the controller software release 7.4.110.0 from an earlier release, you must also upgrade to Cisco Prime Infrastructure 1.3 and MSE 7.4.

You can upgrade to a new release of the controller software or downgrade to an older release even if Federal Information Processing Standard (FIPS) is enabled.

When you upgrade to the latest software release, the software on the access points associated with the controller is also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession.

We recommend that you access the controller GUI using Microsoft Internet Explorer 6.0 SP1 (or a later release) or Mozilla Firefox 2.0.0.11 (or a later release).

Cisco controllers support standard SNMP Management Information Base (MIB) files. MIBs can be downloaded from the Software Center on Cisco.com.

The controller software is factory installed on your controller and automatically downloaded to the access points after a release upgrade and whenever an access point joins a controller. We recommend that you install the latest software version available for maximum operational benefit.

Ensure that you have a TFTP, FTP, or SFTP server available for the software upgrade. Follow these guidelines when setting up a server:

– Ensure that your TFTP server supports files that are larger than the size of the controller software release 7.4.110.0. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within the Prime Infrastructure. If you attempt to download the 7.4.110.0 controller software and your TFTP server does not support files of this size, the following error message appears: “TFTP failure while storing in flash.”

– If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

When you plug a controller into an AC power source, the bootup script and power-on self-test run to initialize the system. During this time, you can press Esc to display the bootloader Boot Options Menu. The menu options for the 5500 differ from the menu options for the other controller platforms.

Bootloader Menu for 5500 Series Controllers:

    Boot Options
    Please choose an option from below:
    1. Run primary image
    2. Run backup image
    3. Change active boot image
    4. Clear Configuration
    5. Format FLASH Drive
    6. Manually update images
    Please enter your choice:

Bootloader Menu for Other Controller Platforms:

    Boot Options
    Please choose an option from below:
    1. Run primary image
    2. Run backup image
    3. Manually update images
    4. Change active boot image
    5. Clear Configuration
    Please enter your choice:

Enter 1 to run the current software, enter 2 to run the previous software, or enter 4 (on a 5500 series controller) or 5 (on another controller platform) to run the current software and set the controller configuration to factory defaults. Do not choose the other options unless directed to do so.

Note See the Installation Guide or the Quick Start Guide for your controller for more details on running the bootup script and power-on self-test.

The controller bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the bootloader to boot with the backup image.

With the backup image stored before rebooting, be sure to choose Option 2: Run Backup Image from the boot menu to boot from the backup image. Then, upgrade with a known working image and reboot the controller.

Control which address(es) are sent in CAPWAP discovery responses when NAT is enabled on the Management Interface using the following command:

config network ap-discovery nat-ip-only { enable | disable }

where:

– enable — Enables use of NAT IP only in a discovery response. This is the default. Use this command if all APs are outside of the NAT gateway.

– disable — Enables use of both NAT IP and non-NAT IP in a discovery response. Use this command if APs are on the inside and outside of the NAT gateway; for example, Local Mode and OfficeExtend APs are on the same controller.

Note To avoid stranding APs, you must disable AP link latency (if enabled) before you use the disable option for the config network ap-discovery nat-ip-only command. To disable AP link latency, use the config ap link-latency disable all command.

You can configure 802.1p tagging by using the config qos dot1p-tag { bronze | silver | gold | platinum } tag command. For the 7.2.103.0 and later releases, if you tag 802.1p packets, the tagging affects only wired packets. Wireless packets are affected only by the maximum priority level set for QoS.

You can reduce the network downtime using the following options:

– You can predownload the AP image.

– For FlexConnect access points, use the FlexConnect AP upgrade feature to reduce traffic between the controller and the AP (main site and the branch). For more information about the FlexConnect AP upgrade feature, see the Cisco Wireless LAN Controller FlexConnect Configuration Guide.

Note Predownloading a 7.4.110.0 version on a Cisco Aironet 1240 access point is not supported when upgrading from a previous controller release. If predownloading is attempted to a Cisco Aironet 1240 access point, an AP disconnect will occur momentarily.

Do not power down the controller or any access point during the upgrade process; otherwise, you might corrupt the software image. Upgrading a controller with a large number of access points can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent access point upgrades supported, the upgrade time should be significantly reduced. The access points must remain powered, and the controller must not be reset during this time.

If you want to downgrade from the 7.4.110.0 release to a 6.0 or an older release, do either of the following:

– Delete all WLANs that are mapped to interface groups and create new ones.

– Ensure that all WLANs are mapped to interfaces rather than interface groups.

After you perform these functions on the controller, you must reboot the controller for the changes to take effect:

– Enable or disable link aggregation (LAG)

– Enable a feature that is dependent on certificates (such as HTTPS and web authentication)

– Add a new license or modify an existing license

– Increase the priority for a license

– Enable the HA

– Install SSL certificate

– Configure the database size

– Install vendor device certificate

– Download CA certificate

– Upload configuration file

– Install Web Authentication certificate

– Changes to management or virtual interface

– TCP MSS

Upgrading to Controller Software Release 7.4.110.0 (GUI)

Step 1 Upload your controller configuration files to a server to back them up.

Note We highly recommend that you back up your controller’s configuration files prior to upgrading the controller software.

Step 9 In the IP Address text box, enter the IP address of the TFTP, FTP, or SFTP server.

Step 10 If you are using a TFTP server, the default values of 10 retries for the Maximum Retries text field, and 6 seconds for the Timeout text field should work correctly without any adjustment. However, you can change these values if desired. To do so, enter the maximum number of times that the TFTP server attempts to download the software in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the software in the Timeout text box.

Step 11 In the File Path text box, enter the directory path of the software.

Step 12 In the File Name text box, enter the name of the software file (filename.aes).

Step 13 If you are using an FTP server, follow these steps:

a. In the Server Login Username text box, enter the username to log on to the FTP server.

b. In the Server Login Password text box, enter the password to log on to the FTP server.

c. In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 14 Click Download to download the software to the controller. A message appears indicating the status of the download.

Datagram Transport Layer Security (DTLS) is required for all Cisco 600 Series OfficeExtend Access Point deployments to encrypt data plane traffic between the APs and the controller. You can purchase Cisco Wireless LAN Controllers with either DTLS that is enabled (non-LDPE) or disabled (LDPE). If DTLS is disabled, you must install a DTLS license to enable DTLS encryption. The DTLS license is available for download on Cisco.com.

Important Note for Customers in Russia

If you plan to install a Cisco Wireless LAN Controller in Russia, you must get a Paper PAK, and not download the license from Cisco.com. The DTLS Paper PAK license is for customers who purchase a controller with DTLS that is disabled due to import restrictions but have authorization from local regulators to add DTLS support after the initial purchase. Consult your local government regulations to ensure that DTLS encryption is permitted.

Note Paper PAKs and electronic licenses available are outlined in the respective controller datasheets.

Features Not Supported on Cisco Flex 7500 Controllers

Static AP-manager interface

Note For Cisco 7500 Series controllers, it is not necessary to configure an AP-manager interface. The management interface acts like an AP-manager interface by default, and the access points can join on this interface.

Access points in the following modes: Local, Rogue Detector, Sniffer, Bridge, and SE-Connect

Note An AP associated with the controller in local mode should be converted to FlexConnect mode or Monitor mode, either manually or by enabling the autoconvert feature. On the Flex 7500 controller CLI, enable the autoconvert feature by entering the config ap autoconvert enable command.

Mesh

Spanning Tree Protocol (STP)

Cisco Flex 7500 Series Controller cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel guest traffic to a guest anchor controller in a DMZ.

Multicast

Note FlexConnect local switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic that is based on IGMP or MLD snooping.

PMIPv6

802.11w

Features Not Supported on Cisco 8500 Controllers

Cisco 8500 Series Controller cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel guest traffic to a guest anchor controller in a DMZ.

TrustSec SXP

Internal DHCP server

Features Not Supported on Cisco Wireless Controller on Cisco Services-Ready Engine

Wired guest access

Cisco Wireless Controller on Cisco Services-Ready Engine (SRE) cannot be configured as a guest anchor controller. However, it can be configured as a foreign controller to tunnel guest traffic to a guest anchor controller in a DMZ.

Bandwidth contract

Access points in direct connect mode

Service port support

AppleTalk Bridging

LAG

Application Visibility and Control (AVC)

Features Not Supported on Cisco Virtual Wireless Controllers

Data DTLS

Cisco 600 Series OfficeExtend Access Points

Wireless rate limiting (bandwidth contract)

Internal DHCP server

TrustSec SXP

Access points in local mode

Mobility/guest anchor

Multicast

Note FlexConnect local switched multicast traffic is bridged transparently for both wired and wireless on the same VLAN. FlexConnect access points do not limit traffic that is based on IGMP or MLD snooping.

Caveats

The following sections list Open Caveats and Resolved Caveats for Cisco controllers and lightweight access points for version 7.4.110.0. For your convenience in locating caveats in Cisco’s Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation might be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms might be standardized.

Spelling errors and typos might be corrected.

Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

Condition : When the service provider domain name is more than 32 characters, the controller web GUI displays duplicate entries. This issue occurs in only the controller web GUI.

Workaround : Use controller CLI.

CSCud48146

Symptom : On the controller, when limiting the “Max Concurrent Logins for a user name” to 1, for example to avoid using the same username more than once for web authentication, there is a possibility to ignore this setting for 802.1x authentication by setting “max-login-ignore-identity-response” to the enabled state. The “max-login-ignore-identity-response” feature does not work as expected and the global “Max Concurrent Logins for a user name” still takes precedence.

Condition : Unknown.

Workaround : Increase the global “Max Concurrent Logins for a user name” to a desired number.

CSCud48620

Symptom : On a channel with high utilization and interference numbers, the RRM DCA algorithm might not change the channel when it should. As a result, the channel assignment for a few access points may be suboptimal, which can negatively impact performance.

Condition : If a channel change that is required to avoid the high utilization or interference has an adverse effect on the RF neighborhood, it might prevent the channel change. Release 6.0.182.0.

Workaround : Configure DCA back to aggressive mode.

CSCud57238

Symptom : The Cisco 602 OEAP’s Ethernet Counter stops incrementing after they reach the maximum value for a 32-bit signed integer (2147483647).

Note This does not affect the operation of the AP or the Ethernet traffic.

Condition : Unknown.

Workaround : Reset the counters by rebooting the Cisco 602 OEAP.

CSCue50917

Symptom : When a RAP loses its wired connection, the RAP fails to restore connectivity as a MAP through the radio backhaul. The mesh adjacency is correctly built to a nearby MAP, and the RAP gets an IP address and can even join its controller, but shortly afterwards a radio reset is observed which causes the RAP to disconnect. The RAP goes into a loop till the wired connectivity is restored. Error messages similar to the following are displayed on the RAP console:

The Syslog server entry is removed using the controller GUI while it is unreachable, but the controller still considers it to be “connected”, as per “TLS auth status” that can be seen by entering the show logging command on the controller CLI.

Condition : Wired computers plugged into the Layer 2 switch connected to the remote LAN port communicate with each other with only pings.

Workaround : Configure static ARP entries to prevent the MAC flap.

CSCud86140

Symptom : AP intermittently does not send probe response when there are other APs in the neighborhood on the same channel.

Condition : There need to be other APs or traffic on the same channel for this issue to occur.

Workaround : If the client hears probes from other surrounding APs, the client should be able to join another AP. Some NICs might prefer to hear probes from a specific AP. Even with the AP having the issue, eventually, the probe response might be transmitted after a few attempts.

CSCud89654

Symptom : On a local-switching-enabled 802.1X WLAN, if the clients associate with a local AP (not a FlexConnect AP), after successful authentication, the controller accepts only the url-redirect attribute and not the url-redirect-acl attribute, which causes redirection to fail thereafter.

Workaround : Disable local switching on the WLAN. You will have to segregate the local AP from FlexConnect APs on different controllers, which makes it impossible to mix them on a single controller.

CSCud97325

Symptom : Cisco AP3600 and Cisco AP2600 send invalid frames sourced with address 0000.0104.xxxx. This might result in security warnings on the switch, such as the following:

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet3/46, new MAC address (0000.0104.d634) is seen.

Condition : This issue occurs when the primary or secondary controller is changed in the AP High Availability tab. This issue is observed with only Cisco Aironet 2600 and 3600 Series access points.

Workaround : None.
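Because CSCud97325 has no workaround, the resulting switch alerts need triage rather than suppression. The following is an added example, not part of the original release notes: it separates AUTHMGR violations that fit the caveat (source 0000.0104.xxxx on a known AP uplink) from those that still need investigation. The AP port list, timestamps and extra log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Switch message format quoted in the CSCud97325 entry above.
VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<iface>[^,\s]+), new MAC address "
    r"\((?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\) is seen"
)

# Source-address pattern the caveat describes: 0000.0104.xxxx
CAVEAT_PREFIX = "0000.0104."


def triage_violations(syslog_lines, ap_ports):
    """Split AUTHMGR security violations into two buckets.

    'caveat'      : MAC matches 0000.0104.xxxx AND the port is a known
                    AP2600/AP3600 uplink, so the event fits CSCud97325.
    'investigate' : everything else, including 0000.0104.xxxx seen on a
                    port that is not an AP uplink (the prefix alone is not
                    proof of the caveat, because a source MAC can be forged).
    Returns {bucket: {interface: [mac, ...]}}.
    """
    buckets = {"caveat": defaultdict(list), "investigate": defaultdict(list)}
    for line in syslog_lines:
        match = VIOLATION_RE.search(line)
        if match is None:
            continue  # not an AUTHMGR security violation
        iface = match.group("iface")
        mac = match.group("mac").lower()
        fits = mac.startswith(CAVEAT_PREFIX) and iface in ap_ports
        buckets["caveat" if fits else "investigate"][iface].append(mac)
    return {name: dict(ports) for name, ports in buckets.items()}


# Constructed sample input. Only the message text of the first line comes
# from the release notes; timestamps, other ports and other MACs are made up.
SAMPLE_SYSLOG = [
    "Jun  1 10:02:11: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet3/46, new MAC address (0000.0104.d634) is seen.",
    "Jun  1 10:02:15: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet3/47, new MAC address (0000.0104.1A2B) is seen.",
    "Jun  1 10:05:40: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet2/10, new MAC address (0000.0104.beef) is seen.",
    "Jun  1 10:07:02: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet3/46, new MAC address (0200.5e10.0001) is seen.",
    "Jun  1 10:07:30: %LINK-3-UPDOWN: Interface GigabitEthernet3/46, "
    "changed state to up",
]

# Assumption: ports known from inventory to connect AP2600/AP3600 units.
AP_PORTS = {"GigabitEthernet3/46", "GigabitEthernet3/47"}

if __name__ == "__main__":
    for bucket, ports in triage_violations(SAMPLE_SYSLOG, AP_PORTS).items():
        for iface, macs in sorted(ports.items()):
            print(f"{bucket:12} {iface:22} {', '.join(macs)}")
```

Events in the caveat bucket can additionally be correlated with the time a primary or secondary controller was changed on the AP High Availability tab, which is the condition the caveat states.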

CSCue02826

Symptom : The 5-GHz radio on AIR-CAP1552E-N-K9 in the non-Bridge mode fails to enable if the controller is configured for Brazil (-T) Regulatory Domain.

Condition : Release 7.3.101.0.

Workaround : Use the Bridge mode in the AP.

CSCue09354

Symptom : Rogue AP does not get detected on the wired network when it is on non-native VLAN trunk to rogue detector AP.

The first page shows correctly, but it is not possible to browse to the subsequent pages.

Workaround : On the controller CLI, enter the show rogue adhoc summary command.

CSCue55153

Symptom : Controller stops communicating with CAM with SNMPv3.

Condition :

1. Enable HA.

2. Add the controller to CAM with SNMPv3 (it should have authorization and authentication passwords).

3. Failover from primary to secondary controller.

Workaround : Delete and add the controller in CAM again.

CSCuf35269

Symptom : The 802.11u domain is lost after a controller reboot.

Condition : Same domain name is used on two different WLANs. This is allowed on CLI, but configuration validation fails on boot.

Workaround : Reconfigure the domain, or use different domain names.

CSCuf74326

Symptom : Cisco Virtual Wireless Controller is given a valid license with an AP count. Installation of the controller is successful, and the show license summary command shows the license in use with the correct count. However, the homepage of the controller GUI shows “0 access points supported” and APs are denied association with the controller.

Condition : This issue occurs only when you provide a license file that contains only adder licenses and not the base feature.

Symptom : After a Cisco AP reboot, the radio which was disabled before Cisco AP reboot is somehow reenabled automatically. This occurs when the Cisco AP belongs to an RF profile.

Condition : Cisco AP joins nondefault AP group and the AP group has the RF profile.

Workaround : Disable radio on AP again after the reboot.

CSCug59937

Symptom : Controller reboot with traceback tpcv2ConstructApProfile.

Condition : TPCv2 in an enabled state.

Workaround : None.

CSCug82976

Symptom : Cisco APs that are configured with submode PPPoE are losing the submode configuration (Submode = Unconfigured) after moving from one controller to another or after rebooting the Cisco AP when associating with the second controller.

Symptom : Controller might trigger a reaper reset crash at “apfFindRogueApEntry” while adding rogue rules on the controller, due to a deadlock condition.

Condition : Adding rogue rules on the controller.

Workaround : None.

CSCuh14797

Symptom : In Export Anchor-Foreign scenario, in both Foreign to Foreign as well as fresh association to a Foreign, if packets are not reaching to Export Anchor due to network issues, then after three retries, there will not be any further exchange. The request will go to Export Anchor and the client will stay in that state until it moves out.

Condition : While running dynamic rf-group between an HA Cisco WiSM2 controller and Cisco 5500 Series standalone controller, enter the show advanced 802.11a group command in the standalone controller CLI. On a forced switchover, the standby controller stopped working.

1. An HA Cisco Flex 7500 Series Controller using Build 7.4.100.105 and a Cisco AP3600 in FlexConnect mode associated with it.

2. Schedule a reset in the active controller using 'reset system in 00:03:00 image no-swap reset-aps save-config'.

3. At the scheduled time, the Cisco AP3600 gets a reset push from the controller. While the AP reboots, incorrect data tracebacks are observed in the Cisco AP and the Cisco AP stops working. Later, the Cisco AP associates with the controller.

Traceback seen at the reboot following the VLAN tagging configuration from the controller.

Workaround : None.

CSCuh44430

Symptom : SE-Connect mode APs show up as Local mode in GUI after fallback because after the fallback the CleanAir Admin and Oper Status becomes “NA” instead of UP. The Network Spectrum Key is not available and it shows up as Local Mode in GUI. Spectrum Analyzer is unable to connect to the SE-Connect mode APs.

Condition : Reboot the controller and then let the SE-Connect APs associate with the controller.

Workaround :

1. Reboot the Cisco AP.

2. After the reboot, the Cisco AP shows correct Mode of “SE-Connect” and also Network Spectrum Key is available.

CSCuh89626

Symptom : Client displays the following message:

“Ignoring 802.11 assoc request from mobile radio is NOT enabled”

Condition : Cisco AP is operational, but the controller shows the Cisco AP as nonoperational.

Workaround : Disable the Cisco AP and then reenable it.

More Information : This issue is only observed after three or more days of continuously disabling and then enabling the radio state every minute on internal testing.

CSCui25877

Symptom : Radio PCI resets are observed on Cisco AP1600.

Condition : PCI resets on Cisco AP1600 with high load.

Workaround : None.

CSCui32908

Symptom : A Cisco AP stopped working and then rebooted.

Condition : Unknown.

Workaround : Unknown. Check any CDP events on the connected switch.

CSCug90218

Symptom : In the controller GUI, access points appear in an unknown state.

Condition: Unknown.

Workaround : Reboot the controller.

CSCug92421

Symptom : Controller reports many stale client entries.

Condition: Cisco Flex 7500 Series Wireless Controllers with Release 7.3.103.14 having many clients.

Workaround : None.

CSCug98625

Symptom : WebAuth redirect fails when local switching is enabled on a WLAN. Manual redirect and redirect with central switching works.

Condition: Local switching is enabled on a WLAN.

Workaround : Add a dummy interface on the controller with the IP address of the VLAN that is locally switched for the client. The VLAN IDs need not be the same, however, the IP addresses must be same. The VLAN must be trunked to the controller.

CSCuh02340

Symptom : CleanAir status appears as N/A even when the access point supports and enables CleanAir.

Condition: This issue occurs when the access points join a primary or secondary controller after the power goes down or a network problem arises.

Workaround : Disable or reenable the access point radio to recover the CleanAir status on the controller.

Symptom : In an HA-enabled 5508 controller with 430 access points, when you perform predownload on all the access points, the controller does not reset.

Condition: High AP count and failed predownload.

Workaround : Reboot the controller using the reset system forced command.

CSCuh26716

Symptom : The show redundancy summary command shows the following output regardless of its real SKU.

Unit = Secondary - HA SKU

Condition: When you use the show redundancy summary command on:

Secondary machine which is converted from a primary machine

HA-SKU machine

Workaround : None.

CSCuh28190

Symptom : AP stopped working once and the log was found on the controller and TFTP server.

Condition: Unknown.

Workaround : None. Access point resets on its own.

CSCuh31410

Symptom : Access point radio resets during the FlexConnect state change.

Condition: Restore access point connectivity to controller.

Workaround : None.

CSCuh39893

Symptom : Controller on Release 7.3 or 7.4 fails to authenticate the One Time Password (OTP) users authenticating with TACACS+. The following debug output is displayed when you use the debug aaa tacacs enable command:

TPLUS_AUTHEN_STATUS_GETPASS

auth_cont get_pass reply: pkt_length=25

processTplusAuthResponse: Continue auth transaction

No auth response from: <SERVER IP>, retrying with next server

Preparing message for retransmit. Decrypting first

Forwarding request to <SERVER IP> port=4900

AUTH Socket closed underneath

No auth response from: <SERVER IP>, retrying with next server

Preparing message for retransmit. Decrypting first

Forwarding request to <SERVER IP> port=4900

AUTH Socket closed underneath

Exhausted all available servers for Auth/Author packet

Condition: This issue occurs under the following conditions:

1. Controller uses Release 7.3 or 7.4.

2. TACACS+ is used for management user authentication.

3. OTP is used for TACACS+. Static passwords are not affected.

Workaround :

Extend the TACACS+ management server timeout value by using the following commands:

config tacacs auth disable server-index

config tacacs auth mgmt-server-timeout server-index 10

config tacacs auth enable server-index
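The failure signature in the debug output above can be checked for mechanically when triaging management login failures. The following Python sketch is an added example, not Cisco code; it matches only the message strings quoted in this caveat, and the server addresses (192.0.2.x) and the second, prompt-free sample are constructed.

```python
import re
from dataclasses import dataclass, field

# Message strings quoted in the caveat. Matching is by substring, so any
# timestamp or task prefix in front of the message is ignored.
GETPASS = "TPLUS_AUTHEN_STATUS_GETPASS"
NO_RESPONSE = re.compile(r"No auth response from: (.+?), retrying with next server")
SOCKET_CLOSED = "AUTH Socket closed underneath"
EXHAUSTED = "Exhausted all available servers"


@dataclass
class Transaction:
    first_line: int            # 1-based line where the evidence starts
    prompted: bool             # True if the server had asked for a password
    servers: list = field(default_factory=list)   # servers that timed out
    socket_closes: int = 0     # "AUTH Socket closed underneath" count

    @property
    def kind(self):
        # "prompt-timeout": the server answered with GETPASS and the exchange
        # then timed out, which is the pattern this caveat describes.
        # "no-response": every server timed out without any GETPASS, which
        # points at reachability rather than at the OTP exchange.
        return "prompt-timeout" if self.prompted else "no-response"


def scan(lines):
    """Return one Transaction per authentication that ended in exhaustion."""
    findings = []
    current = None
    for number, line in enumerate(lines, start=1):
        if GETPASS in line:
            # The caveat shows no success marker, so a GETPASS stays open
            # until the next GETPASS or an exhaustion line.
            current = Transaction(first_line=number, prompted=True)
            continue
        match = NO_RESPONSE.search(line)
        if match:
            if current is None:
                current = Transaction(first_line=number, prompted=False)
            current.servers.append(match.group(1))
        elif SOCKET_CLOSED in line and current is not None:
            current.socket_closes += 1
        elif EXHAUSTED in line and current is not None:
            findings.append(current)
            current = None
    return findings


# Debug output from the caveat, with <SERVER IP> replaced by a constructed
# documentation address.
SAMPLE_OTP = """
TPLUS_AUTHEN_STATUS_GETPASS
auth_cont get_pass reply: pkt_length=25
processTplusAuthResponse: Continue auth transaction
No auth response from: 192.0.2.10, retrying with next server
Preparing message for retransmit. Decrypting first
Forwarding request to 192.0.2.10 port=4900
AUTH Socket closed underneath
No auth response from: 192.0.2.10, retrying with next server
Preparing message for retransmit. Decrypting first
Forwarding request to 192.0.2.10 port=4900
AUTH Socket closed underneath
Exhausted all available servers for Auth/Author packet
""".strip().splitlines()

# Constructed contrast case: servers never answer, so no GETPASS is logged.
SAMPLE_UNREACHABLE = """
No auth response from: 192.0.2.20, retrying with next server
No auth response from: 192.0.2.21, retrying with next server
Exhausted all available servers for Auth/Author packet
""".strip().splitlines()

if __name__ == "__main__":
    for t in scan(SAMPLE_OTP + SAMPLE_UNREACHABLE):
        print(f"line {t.first_line}: {t.kind}, timed out on {t.servers}, "
              f"{t.socket_closes} socket close(s)")
```

A `prompt-timeout` result is the case the timeout workaround above addresses; a `no-response` result is not explained by this caveat.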

CSCuh41053

Symptom : When there is duplex mismatch between a Cisco Aironet 1140 Series Access Point port and an upper layer switch port, the following warning appears on the switch, controller, and access point:

duplex mismatch discovered

However, when the controller is upgraded to Release 7.4.x, the warning message is not logged to controller.

Workaround : Manually enter the line in the config file or modify the configuration directly on the controller using the CLI or the GUI.

CSCuh45072

Symptom : Cisco 5508 controller in an HA configuration with two AAA servers sends TACACS+ authentication and authorization requests to different AAA servers. Users with TACACS+ accounts are unable to log in to the controller because the controller sends the authentication request to one AAA server and the authorization and accounting requests to another AAA server configured in the controller.

Condition: This issue occurs under the following conditions:

1. HA configured on the controller.

2. Users log onto the controller using TACACS+.

3. Two or more AAA servers are defined in the controller TACACS+ authentication and authorization server list.

Workaround : None.

CSCuh46996

Symptom : Wired clients behind a third party WGB device fail to get an IP address.

Condition:

Third party bridge associates to an access point in H-REAP (FlexConnect) local switching mode.

Controller is using release higher than Release 7.0.116.0.

Workaround : None.

CSCuh49135

Symptom : Beacon loss in Cisco AP1130.

Condition: Cisco AP 1130 in FlexConnect mode.

Workaround : None.

CSCuh50219

Symptom : In a mesh topology, RAP-MAP1- MAP2 (all are 1522 access points using 5 GHz backhaul), when MAP1 does not have an Ethernet bridge client then MAP2 connects to MAP1 and joins the controller. However, when MAP1 has an Ethernet bridge client then MAP2 fails to connect to MAP1 to join the controller. The authentication process between MAP2 and MAP1 is never completed in this case.

The issue also appears regardless of the radio used for backhaul (both 5 GHz and 2 GHz backhaul).

Condition: Only on 1520 series access points.

Workaround : None.

CSCuh51208

Symptom : On an HA pair, when the standby unit is active, the evaluation license remaining time warning is displayed.

Condition: Unknown.

Workaround : None. The HA controller continues to work as the local licenses are not used for access point join validation.

CSCue38133

Symptom : Controller sends a message that the APs should be moved to a primary controller, after 90 days of an AP joining the controller.

Condition: This occurs when an HA-SKU controller is used as a secondary controller in an N1 configuration and an AP has joined the controller.

Workaround : None.

CSCue51838

Symptom : Flash is not accessible for Cisco AP1520 or Cisco AP1550. The APs will continuously write the following flash error to the console:

However, when you see the show controllers output, it shows that power level 1 is 13 dBm on 3 antennas (8 dBm per antenna). Comparing the show controllers output with that of the 3600e clearly shows that the 1600 AP has less Tx power. Field tests also show it has a much smaller coverage area. This is on 2.4 GHz; 5 GHz power meets expectations. This was noted in the -E regulatory domain. Also, modifying the antenna gain has no effect at all on Tx power.

Condition: This occurs in controller 7.4.100 code. European regulatory domain in countries where the expected power level is 17.

Condition: This occurs in controller 7.4.x when clients begin the WebAuth/Passthrough process by going to a web page that has cached their credentials in a cookie (such as “remember me” at www.yahoo.com).

Workaround : Use a website that does not cache credentials in cookies. Clear the client's cookies for that particular website or all websites. Downgrade controller to controller 7.0/7.2/7.3.

CSCug80814

Symptom : The foreign controller does not respond to ARP from foreign export client to a local client being on the same VLAN.

Condition:

Client1 associates with WLC1 (local)

Client1 performs Layer 3 roam to WLC2 (WLC2: foreign / WLC1: anchor)

Client2 associates with WLC2 (local)

Initiate traffic, that is ping from Client1 to Client2

Workaround : None.

CSCug86995

Symptom : SRE controller gives an option to configure the “External NAT IP State” and “External NAT IP Address” in the management interface. An AP placed in the public domain will not be able to join the SRE, because the controller discovery response includes only the controller private IP address. Moreover, the option of enabling or disabling only the AP-discovery NAT IP (“config network ap-discovery nat-ip-only enable/disable”) is not available in the CLI.

Condition: Unknown.

Workaround : Do not place SRE-controller behind NAT even though the GUI allows you to configure it.

CSCug89084

Symptom : Clean Air sensor goes down and requires a reboot.

Condition: First found on monitor mode APs.

Workaround : Reboot the AP.

CSCub26289

Symptom : Controller changes the overlapping subnet interfaces IP addresses to all zeros without raising any visible alarm on GUI/CLI or any message on msglog/traplog or “show invalid-config”.

Symptom : Client sending TCP SYN to a Multicast MAC for its gateway results in the controller not sending a TCP SYN ACK. The TCP handshake does not complete and hence the client never generates HTTP traffic and is never redirected. Traffic is seen arriving at foreign and sending to anchor. The anchor ignores/drops the TCP SYN.

Condition: Controller Foreign/Anchor doing Central Web Authentication. When a client has a Multicast MAC address for gateway, this issue occurs. This is usually the result of having a load-balance/clustered node for the gateway of a client.

Condition: Autonomous AP running software version 15.2. Clock information is lost even when “clock save interval” is configured. This is important for WGB situations where the AP must use certificate-based authentication (EAP-TLS, PEAP), and the certificate validation fails the time check.

Workaround : Perform the following:

1. Manually configure the clock after an AP reboot.

2. Configure SNTP for applications where AP is not operating as WGB with certificate-based authentication by entering this command on the AP console:

ap(config)#sntp server a.b.c.d {version 1|2|3}

CSCuc81022

Symptom : The LAP1520 outdoor mesh APs gets false DFS triggers when in-band/off-channel (ch 124) weather RADAR signals are present and received above -20 dBm, causing network instability. A similar behavior was observed with off-band maritime radars operating in the 3.05 GHz band, but this can be addressed with Band-pass filters installed at the antenna port.

Symptom : The local AAA server of the controller shows the outer username of a wireless user who authenticates using local EAP.

Condition: When using local EAP on the controller.

Workaround : Disable identity protection on the wireless client to use the same username for the inner and outer EAP username. For local EAP, inner username will be shown in the clients page or in show client detailed mac-addr

CSCud10611

Symptom : High number of client exclusions can prevent configuration changes from being applied to Access Points.

Condition: High number of client exclusions and access points joined to the controller.

Symptom : Cisco Flex 7510 Series Wireless LAN Controller stops working when it is part of an HA pair. After this, the controller reloads and becomes active.

Condition: Controller is part of an HA pair.

Workaround : None.

CSCud23342

Symptom : When a Cisco 1142 lightweight access point joins to a 2504 controller, the access point name that appears in the Wireless page is different from the name that appears in the Monitor > Statistics > AP Join page. Some access point MAC address characters are appended to the access point name, or multiple entries are created with different base radio MAC addresses.

Condition: Controller with 7.0.235.0 image.

Workaround : None.

CSCud26706

Symptom : After High Availability (HA) failover, the show redundancy peer-route summary command does not show any service port routes. This issue is applicable to Cisco 8500 Series Wireless LAN Controller.

Condition: The service port routes do not exist after High Availability (HA) failover.

Condition: When there is a timeout of LDAP authentication on the configured WLAN LDAP server.

Workaround : Use 1 LDAP server/OU for all users or use RADIUS authentication.

CSCud37443

Symptom : Clients are able to connect in b/g band even though Radio Policy for a SSID specifically set to “a only”.

Condition: Create a WLAN with radio policy set to “a only”. Configure the phones/clients in b/g mode and they successfully connect.

Workaround : None.

CSCud41334

Symptom : The Ethernet bridged client of Mesh AP (MAP) does not work.

Condition: If the Ethernet bridged client (for example, a PC) has been plugged into the Ethernet port of a MAP before the MAP joins the controller, then the client will not work. The issue is seen on AP1140, AP3500 and AP3600 (all indoor mesh APs). The issue is not seen on AP1552 (outdoor mesh AP).

Workaround : Ensure that the bridged client is not plugged into the MAP Ethernet port, and then reload the MAP. Let MAP join the controller before plugging the client into the MAP Ethernet port. The client gets a valid IP address and should respond to pings.

CSCud44269

Symptom : AP sending ARP responses for a client in DHCP required state.

Condition: Crash happens under normal condition without any changes in hardware or software configuration or network topology.

Workaround : None.

CSCuh56264

Symptom : Client disassociated from fast transition roam due to key failure. This issue occurs only when both PMF and FT are supported.

Condition: Client has negotiated both PMF and FT capabilities with the access point.

Workaround : Disable PMF or FT.

CSCuh65005

Symptom : When the client is not authenticated by RSA/RADIUS server using webauth, Cisco controller places the client in RUN state. This issue is caused by the usage of two factor authentication.

Condition: Unknown.

Workaround : Non-usage of two factor authentication. Cisco controller does not support two factor authentication.

CSCuh69558

Symptom : While enabling a AAA over-ride in the WLAN during foreign controller-interface mapping on a guest access configuration, the anchor controller uses the default interface configuration to assign IP address to the client if the AAA server does not send any interface details.

Symptom : Controller marks an interface in a group as dirty even when a response is received from the DHCP server. This issue is observed when some clients insist on requesting an IP unlisted in the connected interface range in a flood. The controller forwards the DHCP NAK responded by the DHCP server when a request is made. However, the interface will still be marked as dirty.

Condition: Unknown.

Workaround : None.

CSCuh76898

Symptom : When an access point is in FlexConnect Local Switching mode with disabled VLAN support, client communication is lost when access point switches over from one controller to another.

Condition: Unknown.

Workaround : None.

CSCuh78753

Symptom : When an access point is in FlexConnect mode and has continuous association/re-association of clients with flapping WAN connection, access point may crash at the following decode:

Symptom : When an access point receives an authentication request from a client whose database is about to be freed/deleted, the access point should not respond with an auth response for a disabled BSSID.

Condition: Unknown.

Workaround : None.

CSCuh87571

Symptom : Image upgrade fails in a high availability environment even when the standby is up and running. The standby HOT does not display any image download activity.

Condition: Occurs on AP 5508/WiSM2 high availability environment.

Workaround : Reset the system and retry the image download.

CSCuh92835

Symptom : While trying to change Layer2 and Layer3 policies on any two similar WLANs, the error message "WLAN with duplicate SSID and Layer2 security policy found." is displayed.

Condition: Occurs on AP 5508/WiSM2 high availability environment.

Workaround : Perform the following workaround:

1. Change WLAN configuration from the CLI. You must disable both the WLANs from the GUI and enable the WLANs again after you complete the configuration again.

2. Delete the existing WLAN and re-create another WLAN using the GUI.

CSCuh93838

Symptom : WebAuth redirect fails when a FlexConnect access point joins the Cisco controller using the IP address from the DHCP server after a reload. A reload occurs when the FlexConnect AP with static IP address has lost connectivity to Cisco controller and the default gateway.

Condition: Unknown.

Workaround : Reload the FlexConnect access point.

CSCuh94259

Symptom : While enabling an mDNS profile on an interface group, an error "Active WLAN using interface group. Disable WLAN first" is displayed when an interface group is already mapped to a WLAN or an access point.

Condition: Usage of mDNS gateway on interface group.

Workaround : Ensure that you remove, add, and enable mDNS on the interface group before further use.

Symptom : Clients are unable to associate to the access point radio. The access point continues to beacon, but when the client sends an 802.11 authentication frame, the access point fails to respond with an authentication response. This issue occurs when the use of the current transmit queues is equal to the limit - the radio is unable to transmit.

Condition: Unknown.

Workaround : You must perform the following workaround:

1. Write a script that goes out to each access point and monitors the usage of the radio transmit queues. If a radio is found whose transmit queue utilization is nearing its limit, then issue the following command:

clear interface <interfacename>

2. Manually reset the AP's impacted radio.

CSCui08633

Symptom : Access point information in an access point group does not match when verified in GUI and CLI.

Condition: Unknown.

Workaround : Perform an upgrade.

CSCui09037

Symptom : Client IP on controller does not get updated after executing the 7.3.101.0 upgrade.

Condition: WLAN is used for mobile device, H-REAP local switching, but the DHCP server is central.

Workaround : Synchronization will happen after some time (20-30 minutes).

CSCui10841

Symptom : The access point arranges a bandwidth for SIP phone, though not on the phone.

Condition: Unknown.

Workaround : None.

CSCsv54436

Symptom : While trying to connect Wireless LAN (WLAN) controller through SSH, the connection fails. If retried immediately from the same system to controller, the connection succeeds.

Condition:

The SSH connection is made from a different Layer 3 network. The issue is found in the Cisco 4400 and 2106 Series Controllers.

Workaround : Retry SSH connection.

CSCsy66246

Symptom : An 802.11n AP does not downshift rates for retries when low latency MAC is enabled. The AP sends three retransmissions but the data rate for retransmissions is the same as the data rate at which the initial packet was sent.

Condition: Using an 802.11n AP with low latency MAC enabled.

Workaround : Do not enable low latency MAC.

CSCtn52995

Symptom : H-REAP reached a maximum limit on the association ID for AP.

Condition:

1. Client 1 is associated to the controller with AID as 1 on SSID x.

2. Client 1 sends an 802.11 auth frame on SSID y; at this point AID 1 is freed at the AP. Auth frames are not honored at the controller, so the controller is not informed.

3. No association frame arrives from client 1 at SSID 2.

4. Client 2 associates to the AP and gets AID as 1.

5. AP updates the controller about client 2 and AID as 1, at this point the controller adds duplicate entries and increments the count (controller already has client 1 AID =1).

6. Counter is getting incremented and reaching 256. It is due to the network conditions in which the 802.11 authentication frames are sent (sometimes on a different WLAN) but is not followed by association frames.

Workaround : None.

CSCtq32444

Symptom : When a port in a LAG goes down and then comes up, the controller does not send an UP trap through SNMP.

Condition: Distribution ports are configured in a LAG and an SNMP trap receiver is configured.

Workaround : Use the show traplog command to view traplog on controller for the UP trap.

CSCtw67184

Symptom : While booting up the controller, you might view the following message on the attached monitor or on the serial console:

All the disks from your previous configuration are gone. If this is an unexpected message, then please power off your system and check your system and check your cables to ensure all disks are present.

Press any key to continue or C to load the configuration utility.

When the Space key is pressed, the system could not boot from the disk.

Condition: The controller might have passed through an accidental power interruption. Upon reboot, the RAID card could not find its configuration in the flash memory and therefore it could not boot.

Workaround : When you encounter the situation, you must enter into the RAID management tool called WebBIOS. There are two versions of the tool available:

One that uses extensive menus and requires an attached monitor.

Another one that is completely based on the command-line interface (CLI). The CLI version can be accessed from the serial console. The prompt appears right after the message. Enter into the CLI version of the WebBIOS utility by pressing Ctrl-Y and then entering the following command: -CfgForeign -Import -a0.

CSCtx68850

Symptom : After upgrading to the controller (release 7.2), when trying to connect the controller through SSH, the connection fails randomly, the prompt for username is displayed, and then SSH session gets closed from the controller side.

Symptom : If you use the clear ap config CLI command or the clear all config option under the Set to Factory Defaults page in the GUI on an indoor AP that has been configured for mesh (bridge) mode, the AP remains in bridge mode.

Condition: An indoor AP that has been configured for mesh.

Workaround : Use one of the following methods:

Remove the IOS_STATIC_AP_MODE environmental variable from the AP. This can be done on the console by reloading the AP, escaping into the bootloader, and entering the bootloader command: ap: unset IOS_STATIC_AP_MODE .

Copy flash:env_vars from the AP to a TFTP server, edit the file to remove the IOS_STATIC_AP_MODE line, and copy the file back. Then, clear the AP config. When the AP reboots, it should be back to factory defaults.

CSCub87374

Symptom : APs may not be able to join controller (with release 7.2 or 7.4) and the controller indicates the limit for maximum APs supported is reached.

Condition: Controller indicates the limit for maximum APs supported is reached when it has not been reached as indicated in the show license capacity command.

Workaround : Reboot the controller with evaluation license.

CSCuc68995

Symptom : A wireless webauth client is unable to authenticate to the network. When the client opens a browser window, the window is blank.

Using the debug web-auth redirect command, messages similar to the following appear:

Condition: The HTTP GET from the client is arriving at the controller in multiple TCP segments.

Workaround : Reconfigure your network, the client's TCP/IP stack, or both to ensure that the HTTP GET arrives in a single segment.

CSCuc80103

Symptom : WiSM2 is unreachable and cannot be pinged. All APs are dropped from the controller, and the controller is unable to ping the Management interface's gateway (through console) at the time of failure. The failure condition will recover on its own, typically within minutes.

Condition: Cisco WiSM2 using Release 7.3.101.0.

Buffer pool leak messages are printed within the msglog around the time of the failure:

Condition: Varying power levels in different channels of the new access points. The controller detects more neighbors with high RSSIs on channels with higher power.

Workaround : None.

CSCud56753

Symptom : In a VMware ESX cluster, when migrating a vWLAN controller from one host to another via vMotion, the vWLAN controller management may become unreachable for 15-30 seconds, which may cause APs to transition to standalone mode temporarily and prevent centrally switched WLANs from communicating.

Condition: A virtual controller's management interface is configured with a dot1q VLAN tag communicating through a virtual switch network configured with VLAN (4095 ALL) in promiscuous network. VMware network can be configured to "Notify Switches" causing RARP to be sent on VM's tagged interface for updating neighbors with CAM table seamlessly during vMotion transition. This is transparent to the VM. In the vWLAN controller deployment; hosts cannot know the vWLAN controller’s management or other interface dot1q tags so RARP is delivered untagged. This prevents CAM tables from learning of MAC update on proper VLAN ID and therefore a loss of communication to the vWLAN controller.

Workaround : Communication is established as soon as the vWLAN controller generates traffic through the new host after a vMotion event. No known workaround.

CSCud57046

Symptom : Client entry is seen on multiple controllers even when not anchored to the controller or part of its mobility group.

Condition: Not known.

Workaround : None.

CSCud57784

Symptom : In the Cisco 5508 Series Wireless Controller, when the MAC Filtering authentication is enabled from the GUI using the following procedure, client authentication fails.

Condition: The Cisco Aironet 1242 Access Point generates tracebacks and coredumps when upgraded to the Cisco WLC software version 7.4.100.60

Workaround: None.

CSCui19817

Symptom: Cisco Aironet 2600 Access Points fail to perform location calibration when using either the linear or by data points methods. Location calibration works for other models of access points.

Condition: When location calibration is performed when there are Cisco Aironet 2600 Series Access Points as part of the deployment.

Workaround: None.

CSCui20773

Symptom: BCAST queue is filled up displaying the following error:

Traplog indicates : "RX Multicast Queue Full"

Condition: Wireless clients send the IGMP report as soon as the query is sent by the Cisco WLC, causing a spike in the Bcast queue. The spike lasts only a very brief moment, but it is enough to fill the queue.

Ideally for each query, clients should send report within 10 seconds. So throttling would happen. But in some cases, if the application does not do backoff (it sends as soon as query is received) a Bcast queue full message is displayed.

Workaround: Increase IGMP query interval and timeout. If the queue is full and the IGMP query is not processed on first try, the stream will still not be affected until no report is received over the timeout value.

CSCui22463

Symptom: Cisco WLC fails to respond when software version 7.4.103.6 is used.

Condition: The Cisco WLC fails to respond when mDNS snooping enabled on software version 7.4.103.6.

Workaround: Disable mDNS snooping.

CSCui22736

Symptom: Unable to use debug pm pmk command.

Condition: Unable to use the debug pm pmk command.

Workaround: None.

CSCui23134

Cisco WLC fails to respond with the task spamPacketDumpHandleIntraRoamCase

Symptom: Cisco WLC fails to respond with the task spamPacketDumpHandleIntraRoamCase

Condition: The Cisco WLC fails to respond when the ap packet-dump command is used.

Workaround: Do not use ap packet-dump feature.

CSCui23580

Symptom: RAP loses its static channel on 5 GHz, and the 2.4 GHz channel gets set to static when configured for auto.

Condition: When the RAP is configured with the following values:

RAP-1 - Set to Channel 100. 2.4 GHZ = Auto

RAP-2 - Set to Channel 161. 2.4 GHZ = Auto

Both RAPs are initially joined with wired connection to the Cisco WLC.

When RAP-1 eth link is lost/goes down, it joins over wireless backhaul through RAP-2. When eth connection is available RAP-1 joins over eth and gets set to channel 161 (remembers previous parents channel info) and 2.4 GHZ gets set to static channel 11.

Workaround: RAP eth connection is never lost. If eth connection is lost, RAP should not join another RAP.

CSCue50917

Symptom: When a RAP loses its wired connection it fails to restore connectivity as a MAP through the radio backhaul.

The mesh adjacency is correctly built to a nearby MAP and the RAP gets an IP address and can even join its WLC, but shortly afterwards a radio reset is observed, which causes the RAP to disconnect.

The RAP never settles down (it keeps on looping) till the wired connectivity is restored.

Symptom : In an HA scenario, when the default management gateway is broken, the standby or active controller goes into maintenance mode and never comes out of that mode even after the connection is restored.

Condition :

1. Configure an HA pair and configure a standby and active controller.

2. Shut down the management default gateway and ensure that one controller goes into maintenance mode after a reboot.

3. After some time, restore the management gateway connection and try to make the controller in maintenance mode come back to the corresponding mode after the connection is restored.

4. The controller always remains in the maintenance mode until a manual reboot is performed and the status is shown to be in negotiation.

Workaround : Perform a manual reboot of the controller.

CSCuc72493

Symptom: The APs disjoin after the switchover if the Cisco 8500 WLC has 6000 APs and 64000 clients on the full load.

Condition: This happens when the Cisco 8500 controller is fully loaded.

Further Problem Description : This issue does not allow an attacker to bypass any forms of authentication. An attacker that did access the private virtual management interface would need to provide valid credentials to gain access to the device.

CSCuj64462

Symptom: On the WLC or PI GUI, CleanAir operational status for one or more Cisco Aironet series access points shows 'Down' as operational status with reason 'CleanAir internal error [5]'. On the console log for the access point, there are messages such as the following:

The first page shows correctly, but it is not possible to browse to the subsequent pages.

Workaround : Use the show rogue adhoc summary command on the CLI.

CSCub89883

Symptom : System is unresponsive in different tasks after guest LAN is enabled.

Conditions :

Guest LAN

Cisco 5500 Series WLC using 7.2 or later releases

IPv6 traffic from clients

Workaround : Disable guest LAN or disable IPv6.

CSCuf56192

Symptom : Unable to delete an mDNS profile.

Conditions : When the mDNS profile is mapped to an interface and the interface is deleted.

Workaround : Before deleting the interface, detach the profile and then delete the interface.

CSCuj58556

Symptom : Cisco AP disconnects from primary and moves to secondary WLC because of memory allocation.

Conditions : Unknown.

Workaround : Reboot the Cisco AP.

CSCui73764

Symptom : Cisco 1240 and 1130 Series APs—DHCP does not work with FlexConnect and VLAN Native 2.

Conditions :

FlexConnect local switching

Cisco 1240 or 1130 Series APs

Cisco WLC Release 7.4.121.0 or earlier releases

VLAN Native 2

User unable to get IP address and to connect to the network

Workaround : Change the native VLAN to an unexpectedly higher number, so no WLAN will ever get mapped to a bridge group number that high.

Further Problem Description : Telnet to the FlexConnect mode AP. Example: VLAN3 is the native VLAN on the FlexConnect mode AP. The AP is correctly mapped to bridge group 1. The WLAN that does not work is the one that is mapped to VLAN2. VLAN2 is mapped to bridge group 3 (see below). This is the instance where the issue is encountered. It can be any WLAN-VLAN-Native VLAN combination.

OEAP600 frequently disconnecting when joined to controller with HA pair

CSCuh81757

ap3500 crash with TLB Miss in sig_channel_stats()

CSCuh87654

AP 3600 fails to generate coredump

CSCuh98417

One-way audio issue seen on spectralink 8400

Installation Notes

This section contains important information to keep in mind when installing controllers and access points.

Warnings

Warning This warning means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071

Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Warning Do not locate the antenna near overhead power lines or other electric light or power circuits, or where it can come into contact with such circuits. When installing the antenna, take extreme care not to come into contact with such circuits, as they may cause serious injury or death. For proper installation and grounding of the antenna, please refer to national and local codes (e.g. U.S.: NFPA 70, National Electrical Code, Article 810, Canada: Canadian Electrical Code, Section 54). Statement 280

Warning This product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductors (all current-carrying conductors). Statement 13

Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground connector. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024

Warning Read the installation instructions before you connect the system to its power source. Statement 10

Warning Do not work on the system or connect or disconnect any cables (Ethernet, cable, or power) during periods of lightning activity. The possibility of serious physical injury exists if lightning should strike and travel through those cables. In addition, the equipment could be damaged by the higher levels of static electricity present in the atmosphere. Statement 276

Warning Do not operate the unit near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use. Statement 364

Warning In order to comply with radio frequency (RF) exposure limits, the antennas for this product should be positioned no less than 6.56 ft. (2 m) from your body or nearby persons. Statement 339

Warning This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. Statement 1017

Safety Information

Follow the guidelines in this section to ensure proper operation and safe use of the controllers and access points.

FCC Safety Compliance Statement

The FCC, with its action in ET Docket 96-8, has adopted a safety standard for human exposure to RF electromagnetic energy emitted by FCC-certified equipment. When used with approved Cisco Aironet antennas, Cisco Aironet products meet the uncontrolled environmental limits found in OET-65 and ANSI C95.1, 1991. Proper operation of this radio device according to the instructions in this publication results in user exposure substantially below the FCC recommended limits.

Safety Precautions

For your safety, and to help you achieve a good installation, read and follow these safety precautions. They might save your life!

1. If you are installing an antenna for the first time, for your own safety as well as others, seek professional assistance. Your Cisco sales representative can explain which mounting method to use for the size and type of antenna you are about to install.

2. Select your installation site with safety as well as performance in mind. Electric power lines and phone lines look alike. For your safety, assume that any overhead line can kill you.

3. Call your electric power company. Tell them your plans and ask them to come look at your proposed installation. This is a small inconvenience considering your life is at stake.

4. Plan your installation carefully and completely before you begin. Successfully raising a mast or tower is largely a matter of coordination. Each person should be assigned to a specific task and should know what to do and when to do it. One person should be in charge of the operation to issue instructions and watch for signs of trouble.

6. If the assembly starts to drop, get away from it and let it fall. Remember that the antenna, mast, cable, and metal guy wires are all excellent conductors of electrical current. Even the slightest touch of any of these parts to a power line completes an electrical path through the antenna and the installer: you!

7. If any part of an antenna system should come in contact with a power line, do not touch it or try to remove it yourself. Call your local power company. They will remove it safely.

8. If an accident should occur with the power lines, call for qualified emergency help immediately.

Installation Instructions

See the appropriate quick start guide or hardware installation guide for instructions on installing controllers and access points.

Note To meet regulatory restrictions, all external antenna configurations must be installed by experts.

Personnel installing the controllers and access points must understand wireless techniques and grounding methods. Access points with internal antennas can be installed by an experienced IT professional.

The controller must be installed by a network administrator or qualified IT professional, and the proper country code must be selected. Following installation, access to the controller should be password protected by the installer to maintain compliance with regulatory requirements and ensure proper unit functionality.

Service and Support

Information About Caveats

If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed, and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.